Splunk Search

Issue with eval in Dashboard XML Source

MERBAG
Explorer

Hey all,

Because of the Y2K bug, we recently upgraded our Splunk environment to version 8.0.1. After this upgrade we face a strange issue which does not make any sense to us and maybe looks like a bug or something; let me explain what we have. In one of our dashboards we create several timestamps using the eval method. Here is the code:

<eval token="STARTFROMDISPLAY">mvindex(split($click.value$,"-"),0)</eval> 
<eval token="STARTFROMMACHINE">strptime($STARTFROMDISPLAY$, "%d.%m.%Y %H:%M")</eval> 
<eval token="STARTFROMADMACHINE">relative_time($STARTFROMMACHINE$, "-0d@d")</eval> 
<eval token="ENDATADMACHINE">relative_time($STARTFROMMACHINE$, "+1d@d")</eval>

After those did run, the variables do have the following values:

  • STARTFROMDISPLAY: 07.01.2020 09:52
  • STARTFROMMACHINE: 1578387120 (07.01.2020 09:52)
  • STARTFROMADMACHINE: 1578351600 (07.01.2020 00:00)
  • ENDATADMACHINE: 1577833200 (01.01.2020 00:00)

So far so good. This is where the issue starts: if you convert these timestamps to actual dates (see above) everything is fine, except for ENDATADMACHINE, which for some reason is pointing to last year's end instead of 08.01.2020 00:00, which it should and would be correct.

To make sure there is no error in the code, we created a small and simple search (not in XML) to reproduce it:

index=dhcp 
| eval STARTFROMMACHINE = strptime("07.01.2020 09:52", "%d.%m.%Y %H:%M") 
| eval STARTFROMADMACHINE = relative_time(STARTFROMMACHINE, "-0d@d")
| eval ENDATADMACHINE = relative_time(STARTFROMMACHINE, "+1d@d")
| table STARTFROMMACHINE, STARTFROMADMACHINE, ENDATADMACHINE

The output values of this search do look like this:

  • STARTFROMMACHINE: 1578387120 (07.01.2020 09:52)
  • STARTFROMADMACHINE: 1578351600 (07.01.2020 00:00)
  • ENDATADMACHINE: 1578438000 (08.01.2020 00:00)

So to summarize the issue in one sentence: relative_time(sometimestring, "+1d@d") does not work when using eval in the XML, but it does work when used within a search.
Does anyone have an idea what is going on here? Please let me know if you need any additional information.

Thanks.


MERBAG
Explorer

@niketnilay Thanks a lot for your reply. I'm not sure if you understood my issue correctly, since what you sent here is more like a workaround than a solution to our issue.

Therefore a quick update from my side: the issue is only happening when the dashboard needs to display something from the current day, so it looks like there is a bug or something that modifies the date to a date in the future in the Dashboard XML. In the normal search everything is still working normally; also, this was working before we did the update to 8.0.1.


niketn
Legend

@MERBAG it is not a workaround; it is the possible solution based on the expected behavior of <eval> to set a token in Simple XML using relative_time(). Have you tried changing the logged-in user's timezone to GMT and checking whether the issue is still observed or not?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@MERBAG I think this has been called out in the docs on using eval to set the token in the dashboard using relative_time: https://docs.splunk.com/Documentation/Splunk/latest/Viz/tokens#Define_token_filtering_and_formatting

For your use case you can pass the clicked value as a token to an Independent Search which will set the required tokens. Following is an example:

    <!-- Independent search to set token for time -->
    <search>
      <query>| makeresults 
  | eval clickedValue="$click.value$"
  | eval STARTFROMMACHINE = strptime(mvindex(split(clickedValue,"-"),0), "%d.%m.%Y %H:%M") 
  | eval STARTFROMADMACHINE = relative_time(STARTFROMMACHINE, "-0d@d") 
  | eval ENDATADMACHINE = relative_time(STARTFROMMACHINE, "+1d@d") 
  | table STARTFROMMACHINE, STARTFROMADMACHINE, ENDATADMACHINE </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
      <sampleRatio>1</sampleRatio>
      <done>
        <set token="tokSTARTFROMMACHINE">$result.STARTFROMMACHINE$</set>
        <set token="tokSTARTFROMADMACHINE">$result.STARTFROMADMACHINE$</set>
        <set token="tokENDATADMACHINE">$result.ENDATADMACHINE$</set>
      </done>
    </search>

You can refer to one of my answers along similar lines where I have used an Independent Search to set the required tokens. https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

Please try it out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
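Added example (not code from the thread, from Splunk, or from either poster): a small Python model of strptime() and the "[+-]Nd@d" form of relative_time() that reproduces the three epoch values quoted in the question's plain-search test, and shows what niketn's timezone check would change. The UTC+1 offset is an assumption inferred from the epochs on the page, and the click value is constructed.

```python
"""Model of the question's token chain: strptime -> relative_time("-0d@d") /
relative_time("+1d@d"), evaluated in a chosen timezone. Only the day-shift
plus snap-to-day subset of relative_time() is modelled."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the poster's user timezone is UTC+1 (winter offset), inferred
# from 1578351600 == 07.01.2020 00:00 local in the question.
LOCAL_TZ = timezone(timedelta(hours=1))
GMT = timezone.utc

_MODIFIER = re.compile(r"^([+-]?\d+)d@d$")


def spl_strptime(text, fmt, tz=LOCAL_TZ):
    """Like Splunk strptime(): parse a wall-clock string in tz -> epoch seconds."""
    return int(datetime.strptime(text, fmt).replace(tzinfo=tz).timestamp())


def spl_relative_time(epoch, modifier, tz=LOCAL_TZ):
    """Subset of relative_time(): shift by N days, then snap to midnight in tz."""
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier {modifier!r}")
    shifted = datetime.fromtimestamp(epoch, tz) + timedelta(days=int(m.group(1)))
    return int(shifted.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def day_window(click_value, tz=LOCAL_TZ):
    """Replicates the dashboard's four evals for one $click.value$ string."""
    display = click_value.split("-")[0]            # mvindex(split(..., "-"), 0)
    start = spl_strptime(display, "%d.%m.%Y %H:%M", tz)
    return {
        "STARTFROMDISPLAY": display,
        "STARTFROMMACHINE": start,
        "STARTFROMADMACHINE": spl_relative_time(start, "-0d@d", tz),
        "ENDATADMACHINE": spl_relative_time(start, "+1d@d", tz),
    }


if __name__ == "__main__":
    # Constructed click value in the "<display>-<something>" shape the XML splits on.
    sample = "07.01.2020 09:52-07.01.2020 10:52"
    for label, tz in (("user tz UTC+1", LOCAL_TZ), ("GMT", GMT)):
        print(label, day_window(sample, tz))
```

Run with both timezones, the UTC+1 row matches the question's plain-search output, while the GMT row shifts every snapped value by one hour, which is the difference niketn's test would expose.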